Feature: Configurable signature thresholds per role.

Test results for features/security/signature_thresholds.feature

Running behat features/security/signature_thresholds.feature results in:

@rugged @security @signature-thresholds
Feature: Configurable signature thresholds per role.
  In order to keep a TUF systems secure,
  As a TUF administrator
  I need to be able to configure each role's signature threshold separately.

  Background:
    Given I rebuild fixtures

  Scenario: By default, each role only requires a single signature.
    When I run the Rugged command "rugged status --worker=root-worker"
    Then I should get:
      """
      === Repository status for root-worker ===
      Role       Capability    Signatures
      ---------  ------------  ------------
      targets    Signing       1 / 1
      snapshot   Signing       1 / 1
      timestamp  Signing       1 / 1
      root       Signing       2 / 1
      """
    And I should not get:
      """
      === Repository status for timestamp-worker ===
      === Repository status for snapshot-worker ===
      === Repository status for targets-worker ===
      """
    When I run the Rugged command "rugged status --worker=timestamp-worker"
    Then I should get:
      """
      === Repository status for timestamp-worker ===
      Role       Capability    Signatures
      ---------  ------------  ------------
      targets    Verification  1 / 1
      snapshot   Verification  1 / 1
      timestamp  Signing       1 / 1
      root       Verification  2 / 1
      """
    And I should not get:
      """
      === Repository status for root-worker ===
      === Repository status for snapshot-worker ===
      === Repository status for targets-worker ===
      """
    When I run the Rugged command "rugged status --worker=snapshot-worker"
    Then I should get:
      """
      === Repository status for snapshot-worker ===
      Role       Capability    Signatures
      ---------  ------------  ------------
      targets    Verification  1 / 1
      snapshot   Signing       1 / 1
      timestamp  Verification  1 / 1
      root       Verification  2 / 1
      """
    And I should not get:
      """
      === Repository status for root-worker ===
      === Repository status for timestamp-worker ===
      === Repository status for targets-worker ===
      """
    When I run the Rugged command "rugged status --worker=targets-worker"
    Then I should get:
      """
      === Repository status for targets-worker ===
      Role       Capability    Signatures
      ---------  ------------  ------------
      targets    Signing       1 / 1
      snapshot   Verification  1 / 1
      timestamp  Verification  1 / 1
      root       Verification  2 / 1
      """
    And I should not get:
      """
      === Repository status for root-worker ===
      === Repository status for timestamp-worker ===
      === Repository status for snapshot-worker ===
      """
    When I run "cat fixtures/tuf_repo/metadata/1.root.json"
    Then I should get:
      """
      "threshold": 1
      """
    And I should not get:
      """
      "threshold": 2
      """

  Scenario: Roles can be configured to require multiple signatures.
    Given I reset Rugged
    And I run "sudo cp features/fixtures/config/signature_thresholds.yaml /var/rugged/.config/rugged/config.yaml"
    And I run the Rugged command "rugged generate-keys"
    And I run the Rugged command "rugged initialize --local"
    When I run the Rugged command "rugged status --worker=root-worker"
    Then I should get:
      """
      === Repository status for root-worker ===
      Role       Capability    Signatures
      ---------  ------------  ------------
      targets    Signing       1 / 2
      snapshot   Signing       1 / 2
      timestamp  Signing       1 / 2
      root       Signing       2 / 2
      """
    And I should not get:
      """
      === Repository status for timestamp-worker ===
      === Repository status for snapshot-worker ===
      === Repository status for targets-worker ===
      """
    When I run "cat fixtures/tuf_repo/metadata/1.root.json"
    Then I should get:
      """
      "threshold": 2
      """
    And I should not get:
      """
      "threshold": 1
      """

2 scenarios (2 passed)
27 steps (27 passed)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.